Security analysts are a lot like detectives. During security incidents and investigations, they need to get to “whodunit” as quickly as possible. This is complicated, especially when mountains of security-relevant data are constantly being produced. Context is key: one piece of information by itself may mean nothing, but then again, it may become a very important piece of a larger puzzle.
Dynamic Incident Response Guidance – for Every Alarm
Defend Against New Threats with Intelligence from Zartek Global Labs
Being a security analyst isn’t easy. You don’t have all day to research new exploits. But it turns out Zartek Global Labs is a team dedicated to doing just that. In addition, there are often so many items to respond to, it’s hard to know what to do next. Zartek Global’s dynamic incident response guidance and its vigilance in discovering new malicious hosts and exploits can help you.
For each alarm that is generated by the Zartek Global USM™ event correlation engine, customized step-by-step instructions are listed in our console. By providing contextually relevant workflow-driven response procedures, analysts know exactly what to do next. The Zartek Global Labs research team has curated these how-to-respond instructions based on rich CSIRT experience, as well as our own threat intelligence.
For example, an alert might identify that a host on your internal network is attempting to connect to a malicious external host. The dynamic incident response guidance would include details about:
- The internal host such as owner, network segment, and software that is installed
- The network protocol in use and specific risks associated with it
- The external host and what exploits it has executed in the past
- The importance of identifying potential C&C (command and control) traffic
- Specific actions to take for further investigation and threat containment – and why you should take them
Security Intelligence in Action
To demonstrate the power of Zartek Global’s unified security intelligence, consider the following example:
- A port scan is detected by your firewall.
- The source address of the scan is correlated with the destination address of an SSH session from an internal host. A lookup in USM’s asset inventory automatically identifies the risk profile of the internal host: the host is critical to business operations, which makes this a critical security incident.
- The compromised host is then scanned for other vulnerabilities from within USM, and it is found to be missing a critical security patch.
- The compromised host is patched and returned to service.
- A complete forensic analysis for the past 30 days is run for the compromised host to determine if additional corrective action is required.
- The incident is anonymized and reported to Zartek Global Labs so other Zartek Global installations are protected from a similar exploit. Note: this step is optional, as you can opt in to share this information.
This whole process is run from Zartek Global’s unified management console.
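The correlation step in the walkthrough above (a firewall port-scan alert whose source matches the destination of an SSH session from an internal host, with severity taken from the asset inventory) can be expressed as a small rule. The following Python is an added example, not USM code; the event records, the asset inventory entries and the one-hour window are constructed for illustration.

```python
"""Correlate a port-scan alert with outbound SSH sessions and rank the
result by the asset inventory's criticality of the internal host.
Added example; all data below is constructed, not from any real system."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str   # "portscan" (from the firewall) or "ssh_session" (from a host log)
    src: str
    dst: str


# Constructed asset inventory: owner and business criticality per internal host.
ASSET_INVENTORY = {
    "10.0.5.20": {"owner": "finance", "criticality": "critical"},
    "10.0.7.44": {"owner": "lab", "criticality": "low"},
}

# Constructed, already-normalized events as a firewall plugin and an SSH
# log plugin would emit them. 203.0.113.7 scans the perimeter, then two
# internal hosts open SSH sessions to it; a third session goes elsewhere.
EVENTS = [
    Event(datetime(2024, 1, 10, 9, 0, 0), "portscan", "203.0.113.7", "198.51.100.1"),
    Event(datetime(2024, 1, 10, 9, 12, 0), "ssh_session", "10.0.5.20", "203.0.113.7"),
    Event(datetime(2024, 1, 10, 9, 15, 0), "ssh_session", "10.0.7.44", "203.0.113.7"),
    Event(datetime(2024, 1, 10, 9, 30, 0), "ssh_session", "10.0.5.20", "192.0.2.9"),
]


def severity_for(internal_host):
    """Map inventory criticality onto incident severity; unknown assets get 'medium'
    rather than being silently ignored."""
    asset = ASSET_INVENTORY.get(internal_host, {"owner": "unknown", "criticality": "unknown"})
    sev = "critical" if asset["criticality"] == "critical" else "medium"
    return asset["owner"], sev


def correlate(events, window=timedelta(hours=1)):
    """Rule: an internal host opened SSH to an external address that was the
    source of a port scan within `window`. Returns one incident per match."""
    scans = [e for e in events if e.kind == "portscan"]
    incidents = []
    for session in events:
        if session.kind != "ssh_session":
            continue
        for scan in scans:
            if scan.src == session.dst and abs(session.ts - scan.ts) <= window:
                owner, sev = severity_for(session.src)
                incidents.append({
                    "internal_host": session.src,
                    "external_host": session.dst,
                    "owner": owner,
                    "severity": sev,
                    "session_time": session.ts.isoformat(),
                })
    # Critical assets first so the analyst sees the most important incident at the top.
    incidents.sort(key=lambda i: 0 if i["severity"] == "critical" else 1)
    return incidents


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

The rule deliberately keys on the scan's source address rather than on the scanned target, which is what turns an otherwise low-value perimeter scan into a meaningful indicator once an internal host talks back to the same address.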
Threat analysis is a demanding, time-consuming exercise for security practitioners. It requires you to stay current with the latest threats, techniques, and vulnerabilities. To do so you need a massive threat data collection process that is global in scale, advanced analytical capabilities to process the data, and time. Done properly, the output of threat analysis is threat intelligence: information about malicious actors, their tools, infrastructure and methods.
To avoid spending countless hours that your IT team doesn’t have in attempting to develop actionable threat intelligence, you need a security solution that conducts threat analysis for you.
The Zartek Global Unified Security Management™ (USM) platform delivers five essential security capabilities in one platform, as well as built-in threat intelligence from Zartek Global Labs. This provides you with everything you need to detect threats, prioritize response, and manage compliance.
Zartek Global USM™ accelerates and simplifies your ability to detect and analyze threats by receiving relevant, timely, and actionable threat intelligence from Zartek Global Labs.
- Locate all the assets on your network
- Identify the vulnerable systems and prioritize remediation
- Detect malicious activity targeting your network
- See a prioritized view of the most significant threats targeting your network
- Drill down and investigate risks for additional context and remediation guidance
Actionable Threat Intelligence Requires Effective Threat Analysis
Effective threat analysis is a demanding yet essential process for generating quality threat intelligence. It requires you to collect a large volume of diverse threat data in real-time, and analyze the behavior to understand the intent of the malicious activity.
You need multiple security tools and data sources to amass the threat data, and then you need to build processes and systems on top of those tools to effectively analyze that data to generate actionable information. Additionally, you need to build your systems to conduct automated analysis, as there is simply too much data to process manually.
To detect patterns of behavior, you need to curate the threat data and combine it with supplemental information about the evolving threat landscape, effectively tuning your security program to detect and respond to threats.
And once your systems and tools have surfaced the relevant data and information, you also need human expertise to interpret the data. Armed with this detailed understanding of malicious actors’ tools, infrastructure, and methods, you can tune your security tools to incorporate the relevant information and detect the latest threats.
Global Visibility from Diverse Data Sources
Zartek Global collects millions of threat indicators daily via the Open Threat Exchange™ (OTX), the world’s largest crowd-sourced repository of threat data, and other external sources. We curate the data and combine it with additional information about attackers’ tools, infrastructure, and methods to detect malicious behaviors — true threat intelligence.
Zartek Global follows a multi-phased threat analysis process to generate Zartek Global’s threat intelligence. The first phase is data collection.
We collect over 3 million threat indicators every day, including malicious IP addresses and URLs, domain names, malware samples, and suspicious files. We aggregate this data in OTX from a wide range of sources, including:
- External threat vendors
- Open sources
- High-interaction honeypots that we set up to capture the latest attacker techniques and tools
- Community-contributed threat data in the form of OTX “pulses”
- USM and OSSIM users voluntarily contributing anonymized data
Applying a Human Touch
The final phase of the threat analysis process is to engage the Zartek Global Labs research team to conduct deeper qualitative and quantitative analysis on the threats. For example, they will reverse-engineer a malware sample, or conduct extensive research on particular threat actors and their infrastructure, to detect patterns of behavior and methods.
The Zartek Global Labs team delivers all relevant information about the threats and the attack infrastructure to the USM platform via the Threat Intelligence subscription. They regularly update 8 coordinated rule sets, which eliminate the need for you to tune your systems on your own.
These rule sets include:
- Correlation directives – USM ships with well over 2,700 pre-defined rules that translate raw events into specific, actionable threat information
- Network IDS signatures – detect the latest threats in your network
- Host IDS signatures – detect the latest threats targeting your critical systems
- Asset discovery signatures – identify the latest operating systems, applications, and devices
- Vulnerability assessment signatures – find the latest vulnerabilities on your systems
- Reporting modules – provide new ways of viewing data about your environment and satisfying auditor and management requests
- Dynamic incident response templates – utilize customized guidance on how to respond to each alert
- Newly supported data source plugins – expand your monitoring footprint by incorporating data from third party tools
USM’s integrated threat intelligence from Zartek Global Labs eliminates the need for you to spend precious time conducting your own research. Unlike single-purpose updates focused on only one security control, Zartek Global Labs Threat Intelligence service delivers regular TI updates to the USM platform which accelerates and simplifies threat detection and response.
Accelerate Log Analysis to Pinpoint Threats and Simplify Log Management
One of the most overlooked and underutilized tools that you can use to secure your network is log analysis. You can almost always find evidence of an attack in the logs of network devices, servers, and applications. However, if you are not performing regular analysis and effectively managing these logs, many threats may go unnoticed.
One of the core capabilities of Zartek Global’s USM™ platform is its ability to automatically aggregate and manage log data from its built-in detection capabilities (as well as logs produced by legacy devices in your environment). It then automatically executes advanced analysis, producing normalized events and correlating them to produce actionable intelligence, alerting you to any threats facing your environment.
With Zartek Global USM, you get all of the features and functionality you expect from security log analysis and management including:
Event Correlation with Regularly Updated Threat Intelligence
- Integrated SIEM functionality automatically correlates log data from different data sources
- Regular updates to threat intelligence automatically spot the latest threats
Log Analysis Simplified with Intuitive UI and Open Plugin Architecture
- Advanced filter and search features enable fast, accurate forensic threat analysis
- Over 200 plugins included to parse logs from the most common data sources, with the ability to customize and/or create your own if needed
Multifunctional Security Log Management and Reporting
- Granular visibility into raw logs with query-based search functionality; simplifies forensic analysis and compliance audits
- Digitally signed and hashed logs protect file integrity; identifies tampering attempts
- Robust reporting engine with ability to customize and easily schedule reports
Event Correlation with Regularly Updated Threat Intelligence
Anyone who has had to manually configure a SIEM knows that, while it can be frustrating, getting your environment’s different devices and services to send data to a collection point is not the difficult part. Most network gear, operating systems, and applications have built-in functionality to export data into the syslog format, a widely used logging standard.
The difficulty is in the actual log analysis and management of the data you’re provided with. Threat research and analysis is a full-time job in most large IT organizations so, unless you have a team investigating threats and regularly developing intelligence, you’re at a severe disadvantage.
One of Zartek Global USM’s core capabilities is a powerful SIEM with integrated analytical tools that normalize and correlate data to produce actionable intelligence. Rather than presenting you with only a list of events for you to search and filter through, Zartek Global USM’s automated log analysis and management software can produce alarms to alert you of attacks and other security events occurring in your environment.
You receive regular updates to the advanced event correlation from our in-house team of security experts, Zartek Global Labs. This group of security threat researchers is constantly on the lookout for new attack methods, traffic patterns, and malware associated with malicious activity. The regular updates to the Threat Intelligence in Zartek Global USM include correlation directives, IDS signatures, vulnerability assessment data, knowledge base articles, and reports.
Log Analysis Simplified with Intuitive UI and Open Plugin Architecture
Different use cases require different approaches to security log analysis and management. For instance, historical analysis of compliance or adherence to policy calls for an easy-to-use interface and ability to filter down to a granular level (i.e. all authentication events involving assets storing cardholder data transpiring during the last 3 months). Doing this quickly allows for faster analysis and, in turn, the ability to swiftly develop new policies/procedures to address the offending behavior.
One potential challenge when deploying a log analysis or management solution is parsing and normalizing incoming logs using plugins. While most devices output log data in a standardized format, some logs are structured differently, contain extra pieces of information, or fail to adhere to any known format. Some SIEM/security platforms come with a limited set of plugins and do not offer users the ability to customize plugins for other data sources.
Zartek Global USM comes with over 200 plugins used to parse data from today’s data sources, meaning you’re able to start monitoring your environment immediately after deployment. These out-of-the-box plugins are compatible with most major devices and applications like network gear (firewalls, UTM, routers, wireless access points), as well as endpoint protection, web servers, and external detection methods. For newer devices, custom implementations, or anything else that exports a text-based log, Zartek Global USM’s open plugin architecture makes it simple to create your own plugin.
Multifunctional Security Log Management and Reporting
Some regulatory compliance standards require that you store logs in their raw state for a particular amount of time as well as provide for the export of this data for external analysis. Similarly, some audits (in-house or regulatory), can only be performed via queries to logs in their raw state. While some security log analysis and management software solutions can certainly ingest these raw logs, very few retain the log data in its original state, or give you the ability to export the data.
Zartek Global USM features a logger as one of its main architectural components that stores log files and other data for extended periods of time. Using the built-in policy editor, you have complete control as to which logs are stored and for how long. You can also utilize policies to choose a specific set of events to go straight to the logger, bypassing the SIEM. This is helpful for non-essential events and logs that you need to retain for regulatory or even internal compliance requirements.
In addition to the raw log storage requirement, most compliance standards require that you enable controls to prevent the tampering of these logs. The Zartek Global USM platform incorporates the ability to digitally sign the logs at the block or line level, ensuring that the logs you have stored have not been modified since their creation.
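Signing stored logs at the block or line level, as described above, comes down to two mechanisms: an unkeyed hash chain over lines (so that an edit, deletion or reordering changes every later digest) and a keyed signature over each block (so that someone who edits a line and recomputes the hashes still cannot produce a valid block). The Python below is an added example of that pattern, not USM's implementation; the signing key, block size and log lines are constructed, and a real logger would keep the key away from the logs it protects.

```python
"""Hash-chained log lines sealed into HMAC-signed blocks, with a verifier
that reports the first block or line that fails. Added example; the key
and sample lines are constructed."""
import copy
import hashlib
import hmac

SIGNING_KEY = b"example-logger-key-not-for-production"  # constructed
BLOCK_SIZE = 3
GENESIS = "0" * 64  # chain anchor before the first line


def line_digest(prev_digest, line):
    """Hash the line together with the previous digest so that an edit,
    deletion or reordering changes every digest that follows."""
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()


def block_signature(digests, key):
    """Keyed HMAC over a block's line digests; only the key holder can recompute it."""
    return hmac.new(key, "".join(digests).encode(), hashlib.sha256).hexdigest()


def seal_log(lines, key=SIGNING_KEY, block_size=BLOCK_SIZE):
    """Split lines into blocks; each block stores its lines, per-line digests and HMAC."""
    blocks, prev = [], GENESIS
    for start in range(0, len(lines), block_size):
        chunk = list(lines[start:start + block_size])
        digests = []
        for line in chunk:
            prev = line_digest(prev, line)
            digests.append(prev)
        blocks.append({"lines": chunk, "digests": digests, "hmac": block_signature(digests, key)})
    return blocks


def verify_log(blocks, key=SIGNING_KEY):
    """Return (ok, block_index, line_index). A line index names the first
    modified line; None with a block index means that block's HMAC failed."""
    prev = GENESIS
    for b_idx, block in enumerate(blocks):
        if len(block["lines"]) != len(block["digests"]):
            return False, b_idx, None
        for l_idx, line in enumerate(block["lines"]):
            prev = line_digest(prev, line)
            if prev != block["digests"][l_idx]:
                return False, b_idx, l_idx
        if not hmac.compare_digest(block_signature(block["digests"], key), block["hmac"]):
            return False, b_idx, None
    return True, None, None


def tamper(blocks, b_idx, l_idx, new_line, recompute_digests=False):
    """Test helper: return a copy with one line edited. With recompute_digests
    the unkeyed hashes are fixed up too, which is the case the HMAC exists to catch."""
    edited = copy.deepcopy(blocks)
    edited[b_idx]["lines"][l_idx] = new_line
    if recompute_digests:
        prev = GENESIS if b_idx == 0 else edited[b_idx - 1]["digests"][-1]
        digests = []
        for line in edited[b_idx]["lines"]:
            prev = line_digest(prev, line)
            digests.append(prev)
        edited[b_idx]["digests"] = digests
    return edited


# Constructed log lines: seven lines give three blocks (3, 3, 1).
SAMPLE_LINES = [f"2024-01-10T09:{i:02d}:00Z host01 app: event {i}" for i in range(7)]

if __name__ == "__main__":
    sealed = seal_log(SAMPLE_LINES)
    print("untouched:", verify_log(sealed))
    print("line edited:", verify_log(tamper(sealed, 1, 0, "edited")))
    print("line edited, hashes fixed up:", verify_log(tamper(sealed, 1, 0, "edited", True)))
```

One caveat the scheme above does not cover: deleting whole trailing blocks leaves every remaining block valid, so a production logger also needs an independently stored record of how many blocks exist (or a periodic signed anchor of the latest digest) to detect truncation.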
Another key feature of Zartek Global USM that aids in log analysis and management is the reporting console. In addition to reporting on your monitored assets’ events, alarms, states of compliance, etc., you have a way to report on the activity happening on the Zartek Global USM platform itself. While it sounds a bit recursive, this allows you to monitor your monitoring solution and certify compliance with your security policies and practices.